Last modified: 2014-10-24 16:34:30 UTC
Find a way to make all new instances created in the deployment-prep project point to the puppet and salt masters on the deployment-salt instance by default. This would entail adding the role::puppet::self and setting these global puppet variables:

deployment_server_override: deployment-bastion.eqiad.wmflabs
salt_master_finger_override: dd:d8:68:70:8c:65:a3:af:46:5c:3f:4f:d4:be:6c:71
salt_master_finger_override: deployment-salt.eqiad.wmflabs
puppetmaster: deployment-salt.eqiad.wmflabs
SMW query to see how eqiad hosts are configured: https://wikitech.wikimedia.org/w/index.php?title=Special%3AAsk&q=%5B%5BResource+Type%3A%3Ainstance%5D%5D%0D%0A%5B%5BProject%3A%3Adeployment-prep%5D%5D%0D%0A%5B%5BRegion%3A%3Aeqiad%5D%5D&po=%3FPuppet+Var%0D%0A&eq=yes&p%5Bformat%5D=broadtable&sort%5B0%5D=Modification+date&order%5B0%5D=DESC&sort_num=&order_num=ASC&p%5Blimit%5D=200&p%5Boffset%5D=&p%5Blink%5D=all&p%5Bsort%5D=Modification+date&p%5Bheaders%5D=show&p%5Bmainlabel%5D=Instance&p%5Bintro%5D=&p%5Boutro%5D=&p%5Bsearchlabel%5D=%E2%80%A6+further+results&p%5Bdefault%5D=&p%5Bclass%5D=sortable+wikitable+smwtable&eq=yes
Should we set those parameters directly in the puppet manifests? This way, whenever an instance is created it will be configured to point to that puppet master. Maybe just after manifests/realm.pp.
For now, manual instructions on configuring a host are given at https://wikitech.wikimedia.org/wiki/Nova_Resource:Deployment-prep/How_code_is_updated#Converting_a_host_to_use_local_puppetmaster_and_salt_master
We still have to set the configuration manually. Pointing to the local puppet seems easy enough; I am not sure how we could automatically sign the puppet/salt keys though :(
Both salt <http://docs.saltstack.com/en/latest/ref/configuration/master.html#auto-accept> and puppet <https://docs.puppetlabs.com/puppet/latest/reference/ssl_autosign.html> can be configured to automatically sign keys. I personally don't see that there would be any sort of serious security implications of making this work within the beta cluster. Yuvi and Giuseppe are working on integrating wikitech and hiera in such a way that it should be possible to set up per-project configuration that can automate adding the proper roles and settings to all hosts in the deployment-prep project. The trickiest part will probably be trying to find a way to automate removing the salt key for the labs-wide master so that the project-specific master's key can be saved on each host.
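Puppet's autosign setting, linked in the last comment, can also name a policy executable. The script below is an added example, not part of this report or of the project's puppet code, and approves only certnames shaped like this project's hosts. The deployment-<name>.eqiad.wmflabs naming pattern is an assumption taken from the two hostnames in the report.

```shell
#!/bin/sh
# Added example: policy executable for Puppet's "autosign" setting.
# Puppet runs it with the requested certname as $1 and the PEM CSR on stdin;
# exit status 0 means "sign", anything else leaves the request unsigned.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# Assumption: project instances are named deployment-<name>.eqiad.wmflabs,
# like the two hostnames given in the report.
ALLOWED_PREFIX="deployment-"
ALLOWED_SUFFIX=".eqiad.wmflabs"

autosign_allowed() {
    certname=$1
    # Reject empty or oversized names.
    [ -n "$certname" ] || return 1
    [ "${#certname}" -le 253 ] || return 1
    # Reject any character outside [a-z0-9.-]; this also blocks
    # globs, whitespace, uppercase and embedded newlines.
    case $certname in
        *[!a-z0-9.-]*) return 1 ;;
    esac
    # Must carry the project prefix and end in the labs domain.
    case $certname in
        "$ALLOWED_PREFIX"*"$ALLOWED_SUFFIX") ;;
        *) return 1 ;;
    esac
    # The host part must be one DNS label, so a name such as
    # deployment-x.other.eqiad.wmflabs is refused.
    host=${certname%"$ALLOWED_SUFFIX"}
    case $host in
        *.*|*-) return 1 ;;
    esac
    [ "${#host}" -gt "${#ALLOWED_PREFIX}" ] || return 1
    return 0
}

# Act as the policy executable only when called with a certname.
if [ "$#" -gt 0 ]; then
    cat >/dev/null            # drain the CSR that Puppet sends on stdin
    autosign_allowed "$1"
    exit $?
fi
```

The certname is chosen by the requesting host, so this check narrows which names can be signed without review; it does not prove which instance sent the request.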